Access Platform via SSH

June 26, 2014

Earlier this month we announced the release of platform version 2.2, which brings you many new features and functions. One added functionality is the ability to access your containers via SSH. Today, we’d like to provide a general overview of this feature.

Overview

SSH (Secure Shell) is a protocol used to connect securely to a remote container and execute the required commands on it. SSH commands are encrypted and secure: the client/server connection is authenticated using a digital certificate, and passwords are protected by encryption.

To make SSH access available in the platform, a new infrastructure component was added to the core - SSH Gateway. SSH Gateway accepts users’ connections from the internet and then transmits these connections to the desired container, using an internal network.

platform SSH connection scheme

The authentication procedure in SSH Gateway is divided into two independent parts:

  • connection from end user to Gateway (external authentication)
  • connection from Gateway to users’ container (internal authentication)

Both parts of the authentication procedure are based on a standard SSH protocol, using public/private keypairs.

With SSH Gateway, you can easily access:

  • the whole account, where you can navigate across your environments and containers using an interactive menu without extra authentication
  • separate containers directly, while working with them remotely via additional tools (e.g. Capistrano) or using SFTP and FISH protocols

While accessing containers via SSH, a user receives all required permissions and additionally can manage the main services with sudo commands of the following kind (and others):

sudo /etc/init.d/jetty start

sudo /etc/init.d/mysql stop

sudo /etc/init.d/tomcat restart

sudo /etc/init.d/memcached status

sudo /etc/init.d/mongod reload

sudo /etc/init.d/nginx upgrade

sudo /etc/init.d/httpd help

Note: If you deploy any application, change the configurations or add any extra functionality via SSH to your environment, this will not be displayed at the platform dashboard.

In addition, we support SFTP (Secure File Transfer Protocol) through a threaded daemon that processes SFTP connections. It lets you access, manage and transfer files directly to the container via the SSH Gateway and, in this way, ensures data security.

An additional secure network protocol is FISH (Files transferred over Shell protocol). It is supported by a number of popular FTP-clients and file managers (e.g. Midnight Commander, Konqueror, lftp, Krusader, etc) and permits a user to securely access and manage a container’s file system.

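Below we’ll describe how to generate an SSH key, add it to your account, access your platform account via SSH and connect directly to a container.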

Generate SSH Key

The steps of SSH key generation depend on the system you use:

For Linux/MacOS

Generate a new SSH key (the RSA type is required) using the ssh-keygen tool:

Note: DSA keys are not supported by the platform due to insufficient security level.

1. Initiate generation with the following command:

$ ssh-keygen -t rsa

generate RSA key

2. You can view the value of both public and private SSH keys with the cat command (the exact location is circled in the image above). For example:

$ cat /home/jelastic/.ssh/id_rsa.pub

3. Copy the generated SSH key.

For Windows

1. Download and run an SSH keygen tool, for example, PuTTYgen:

PuTTY keygen tool download

2. Specify the following parameters:

  • choose SSH-2 RSA key type
  • enter the desired number of bits (e.g. 2048)

Note: DSA keys are not supported by the platform due to insufficient security level.

PuTTY generate RSA key

Click Generate.

3. Copy the generated key from the output field at the top of the window.

PuTTY view public key

Add SSH Key

Now, you can add the generated SSH key to your account.

1. Open the platform dashboard and navigate to the upper toolbar.

account settings

Click the Settings button.

2. In the opened User Settings tab, navigate to the SSH Keys > Public Keys section.

SSH Keys settings

3. Click the Add Public Key button and paste the previously generated key to the required Key field. The Name field will be automatically populated if your key already contains this value.

add public key

Click Add.

4. As a result, the added SSH key will appear in the list.

public key added

In this way, you can add several keys or delete any if they are unnecessary.

Note: The added SSH key is attached to your whole account rather than to a single environment.

SSH Access to Platform Account

Now let’s see how you can access your platform account with all of its environments and containers via SSH.

Open the dashboard and navigate to the upper toolbar.

account settings

Click the Settings button.

In the opened User Settings tab, navigate to the SSH Keys > SSH Connection section.

Here, you can see information required for accessing an account, including an SSH connection string (circled in the image below).

SSH connection info

Tip: In the right part of the section you can establish a Web SSH connection to any node directly in the browser.

Depending on your OS, you need to perform the following steps:

  • Linux/MacOS/FreeBSD

Open your terminal and execute the SSH connection string.

SSH access via terminal

  • Windows

Download and run your SSH client (PuTTY as an example).

Navigate to the Session tab in the left-hand list and fill in the Host Name (or IP address) and Port fields in accordance with your SSH connection string.

SSH access via PuTTY

Note: In order to add your private SSH key with PuTTY, download and run the Pageant tool, click the Add Key button and choose the appropriate SSH key file.

add private key PuTTY

1. Once connected, you will see a list of environment groups (with the number of containers in each shown in brackets) and ungrouped environments available for your account. Select the required item by entering the appropriate number.

cloud account via SSH

Only running environments can be accessed.

2. After selecting an environment, you’ll see a full list of its containers, grouped by layers. The master node (required for clustering, scaling, cloning, etc) is designated with the [M] mark.

cloud environment via SSH

Also, each container is provided with nodeid, LAN IP, WAN IP and Alias data. In order to access the required node, just enter its number.

Direct SSH Access to Container

You can also "jump" directly to the necessary container, skipping the steps of choosing an appropriate environment and node. Just state the appropriate container ID (can be seen at the dashboard next to the corresponding node) at the beginning of the connection string.

node ID

For example, in order to access the Tomcat container, which is shown in the image above, you should add the 36864- prefix to the default account connection string in the following way:

ssh 36864-4701@gate.jelastic.com -p 3022

This option can be useful for automation scripts or for setting up application configurations.

Conclusion

We hope that this information will be useful for those of you who would like to delve deeper into the advanced features of the platform. More details can be found in our additional documentation. In our next publication, we will provide you with details on SFTP and FISH protocols for accessing containers via SSH. Stay tuned and remember that with us you always get more!